The above Vlan x will act like a backbone vlan connecting Router/switch and FWSM in routed mode. In your FWSM, the route statement to outside/default will point to x.x.x.1. In router/switch, the route to all Vlans behind FWSM will point to x.x.x.2.

So, in your router/switch, among Vlans you assigned to firewall vlan-group 1, you can only have 1 Vlan with Layer 3 status (meaning assigned with IP on its Vlan interface). Other Vlans should exist as Layer 2 Vlans only (you don't see them as interface Vlan xx if you issue 'sh run', and no IP Address).

Alternatively, you can remove the command "firewall vlan-group 1 501,803,852,855,857,873-875,880-882,891", and re-add it again with Vlan 801, as follows:

firewall vlan-group 1 501,801,803,852,855,857,873-875,880-882,891

This will not delete your FWSM configuration associated with the Vlans.

In the above example, Vlan 501 will act like a backbone vlan connecting Router/switch and FWSM in routed mode. In your FWSM, the route statement to outside/default will point to x.x.x.1. In router/switch, the route to all Vlans behind FWSM will point to x.x.x.2.

Re: FWSM/SUP720 - vlan-group command

If I am not wrong, it will append it to the group.

But to be safe, you can always remove and re-add the new Vlan to the "firewall vlan-group 1 xx,xx,xx". The setback is that it will temporarily disconnect communication to all Vlans behind FWSM, but will not affect the config on router/FWSM. To do it fast, copy & paste the command to the router/switch.
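A worked configuration for the remove-and-re-add step and the single Layer 3 backbone Vlan described in the replies above, added here as an illustration and not taken from either poster. The slot number (3), the backbone subnet (10.0.0.0/24) and the inside subnet (192.168.10.0/24) are assumed values standing in for the thread's x.x.x.1 / x.x.x.2.

```cisco
! --- Supervisor / MSFC side (constructed example) ---
! Remove the old group and re-add it with Vlan 801 included.
! Paste both lines together: traffic behind the FWSM drops until the
! second line is applied, but no FWSM interface config is lost.
no firewall vlan-group 1 501,803,852,855,857,873-875,880-882,891
firewall vlan-group 1 501,801,803,852,855,857,873-875,880-882,891
! Bind the group to the FWSM slot (slot 3 is an assumption).
firewall module 3 vlan-group 1
!
! Vlan 501 is the ONLY vlan in group 1 that gets an SVI with an IP.
! It is the backbone between the MSFC and the FWSM outside interface.
interface Vlan501
 description backbone to FWSM (outside)
 ip address 10.0.0.1 255.255.255.0
!
! Every other vlan in the group stays Layer 2 only: no "interface VlanNNN"
! with an IP address on the switch, e.g. Vlan 801 is defined but not routed.
vlan 801
 name inside-servers
!
! Routes to the networks behind the FWSM point at the FWSM's backbone IP.
ip route 192.168.10.0 255.255.255.0 10.0.0.2

! --- FWSM side, single routed mode (constructed example) ---
interface Vlan501
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan801
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Default route to the outside points back at the MSFC's backbone IP.
route outside 0.0.0.0 0.0.0.0 10.0.0.1
```

After the change, `show firewall vlan-group` on the supervisor should list 801 in group 1, and `show interface` on the FWSM should show Vlan801 up once its FWSM-side interface is configured.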
